Open mpgr04 opened 4 years ago
The expiration of the session in your database applies server-side. This module has a function that clears expired sessions at a set interval - the time between checks can be configured. If the server deletes a session record from the database, the next time that the client with the corresponding session cookie visits your website, the server will not be able to find its session in the database. So the server will generate a new session for that client.
The expiration of the session cookie applies on the client-side (browser). Once a cookie has reached its expiration time, the browser should delete it. The client will no longer send its session cookie to your server. The next time that client visits your website, the server will create a new session for that client.
I was confused about this too. To clarify,
session_id |
expires |
data |
---|---|---|
3phuQRt... |
1656693448 |
{"cookie":{"expires":"2022-07-01T16:37:27.897Z",...},...} |
This expires time is used internally by express-mysql-session to track when sessions should be deleted from the database. It's for cleaning up old sessions. |
Here, data.cookie.expires is the actual time that the user's cookie expires, which is effectively when the user will need to log in again. For most purposes, this is the value that you should check. |
Hopefully I am understanding correctly. I spent a while trying to figure out why the expires
field kept on creeping forward while the session was never being modified or touch()
-ed anywhere in my code. Then I realized I should instead be checking data.cookie.expires
to find out how much time the user had left.
As far as I noticed, both the session cookie has a lifetime and the entry in the mysql session store of this module. Must both expiry times have the same value or is one of them unnecessary? As soon as I call a session destroy both variants will be removed anyway, both database entry and cookie, but how is it when the expiration period is exceeded?
Thanks!